OXSessionLifecycle: Difference between revisions
Revision as of 14:51, 19 May 2011
Lifecycle of an OX Session
This page describes in detail how a session is created, the components of a session and how they work together and which stages a session goes through during its existence.
Creating a session
Creating a session is a very straight forward process. Let's fire up a network sniffer and see what's exchanged between client and server during login (redacted for brevity, some of the stuff that's sent back and forth is not really relevant to our discussion):
POST /ajax/login?action=login&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev7&authId=eedc7ddf-8c4b-4ba4-b00d-88250574eee1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=username%40contextname&password=somePassword
Let's go through this one thing at a time. Look at the first line:
POST /ajax/login?action=login&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev7&authId=eedc7ddf-8c4b-4ba4-b00d-88250574eee1 HTTP/1.1
It's an HTTP POST that wants to do a login ( /ajax/login?action=login ).
POST /ajax/login?action=login&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev7&authId=eedc7ddf-8c4b-4ba4-b00d-88250574eee1 HTTP/1.1
The first thing we have to look at is the client identifier (&client=...). The client identifier here is com.openexchange.ox.gui.dhtml. The client identifier is used to differentiate between different client programs that use the same cookie store: for example, one session in your browser is opened by the OX frontend and another one by a browser plugin. In order for the cookies used in session handling not to overwrite each other, each client program provides its own client identifier, which is later used to construct the cookie names by way of the Cookie Hash.
POST /ajax/login?action=login&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev7&authId=eedc7ddf-8c4b-4ba4-b00d-88250574eee1 HTTP/1.1
The second thing that jumps out is the Auth-ID (&authId=...); in this example the Auth-ID that will show up in log files is eedc7ddf-8c4b-4ba4-b00d-88250574eee1. Whenever you have to track a login or logout request across the different systems of your Apache / OX server cluster, the Auth-ID will come in handy: it's a unique string that shows up on the request's way through the systems.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
The User-Agent header is also used in constructing the cookie names, or more precisely the Cookie Hash.
name=username%40contextname&password=somePassword
This line contains the parameters sent in the POST request. "name" is set to username@contextname, and the password is set to "somePassword". This information will be used by the authentication system to authenticate the user or deny the login request. Let's say everything goes right with our login attempt and look at the server's answer, again redacted for brevity and relevance to our discussion:
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Set-Cookie: open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6; expires=Tue, 24-May-2011 13:28:59 GMT; path=/
Transfer-Encoding: chunked

90e
{"session":"4bb7202edae54094855b5a545d7123c3","random":"fd367d5c15ca4914b280982422008c4d","modules": /* SOME STUFF */ }
0
The answer provides the client with the two parts it later needs to construct valid requests: the Session Secret and the Session ID. As you can see in this line, the session secret is transferred as a cookie:
Set-Cookie: open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6; expires=Tue, 24-May-2011 13:28:59 GMT; path=/
Notice the name of the cookie, which always starts with open-xchange-secret- followed by the cookie hash, which is normally calculated from the User-Agent header of the login request and the value of the client parameter. The expiry time of the cookie is governed by the cookie lifetime configuration parameter and by whether autologin is permitted or not. As I tried this request on Tue, 17-May-2011, the cookie will live one week.
The Session ID is transmitted to the client in the response:
{"session":"4bb7202edae54094855b5a545d7123c3","random":"fd367d5c15ca4914b280982422008c4d","modules": /* SOME STUFF */ }
This session ID will later be sent to the server in all requests as the session parameter.
Using a session
Let's look at the next request the UI performs:
GET /ajax/config/gui?session=4bb7202edae54094855b5a545d7123c3 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Cookie: JSESSIONID=0eb494cd2f364f9092596dba3c1ab33b.OX1; open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6
This request retrieves certain configuration data. Notice the Session ID that is transferred as a request parameter and the Session Secret that is transferred as a cookie. Only when these two belong to the same session will the request be accepted.
Storing a session for autologin
If the autologin feature is activated, the frontend will send a 'store' request. This will prompt the backend to save the session ID in a cookie:
GET /ajax/login?action=store&session=4bb7202edae54094855b5a545d7123c3 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Cookie: JSESSIONID=0eb494cd2f364f9092596dba3c1ab33b.OX1; open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6

HTTP/1.1 200 OK
Set-Cookie: open-xchange-session-2H65ETpH7sX1kOWi6eyw=4bb7202edae54094855b5a545d7123c3; expires=Thu, 26-May-2011 12:46:59 GMT; path=/
Set-Cookie: JSESSIONID=0eb494cd2f364f9092596dba3c1ab33b.OX1; expires=Thu, 26-May-2011 12:46:59 GMT; path=/
Transfer-Encoding: chunked

c
{"data":"1"}
0
This cookie will later be used by the backend to retrieve the session when the browser does a reload.
Retrieving a session with autologin
One of the first things the frontend does after having been loaded by your browser is trying to revive a possibly existing session. For this, the frontend issues the autologin call:
GET /ajax/login?action=autologin&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev7 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Cookie: JSESSIONID=0eb494cd2f364f9092596dba3c1ab33b.OX1; open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6; open-xchange-session-2H65ETpH7sX1kOWi6eyw=4bb7202edae54094855b5a545d7123c3

HTTP/1.1 200 OK
Date: Thu, 19 May 2011 12:47:42 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Content-Type: text/javascript; charset=UTF-8
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked

976
{"session":"4bb7202edae54094855b5a545d7123c3","random":"eebfe64f606447d6a64d26cacff35976","modules": /* SOME STUFF */
Note the cookie containing the Session ID: this cookie, set earlier by the 'store' call, is used to retrieve the session. If a session could be found, it is returned much like a regular login response.
Session hibernation for long running sessions
Starting with 6.18.2, OX supports long running sessions that can be revived even after many days. To facilitate that, sessions that are not in active use are slimmed down and placed in a kind of 'hibernation mode'. Autologin can still reactivate these sessions, while they don't take up as much memory as a regular active session. In the configuration you can fine-tune when a session is sent into hibernation and when a session is discarded.
Closing a session
Finally, and for completeness' sake, a session can be closed by issuing a 'logout' request:
GET /ajax/login?action=logout&session=4bb7202edae54094855b5a545d7123c3 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=0eb494cd2f364f9092596dba3c1ab33b.OX1; open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6; open-xchange-session-2H65ETpH7sX1kOWi6eyw=4bb7202edae54094855b5a545d7123c3

HTTP/1.1 200 OK
Date: Thu, 19 May 2011 12:47:52 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Content-Type: text/javascript; charset=UTF-8
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Set-Cookie: open-xchange-secret-2H65ETpH7sX1kOWi6eyw=b6727314bd3949579859ee8f327b24dd; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/
Set-Cookie: open-xchange-session-2H65ETpH7sX1kOWi6eyw=09f43d699b2946808afefe667c91580b; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/
Set-Cookie: JSESSIONID=0eb494cd2f364f9092596dba3c1ab33b.OX1; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/
Content-Length: 0
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Notice that the session secret cookie and the session ID cookie are removed (their expiry is set to a date in 1970, so the browser discards them).
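The whole lifecycle above (login, using a session, store, autologin, logout) can be modelled in a few dozen lines so that the checks become explicit. The following is an added example written for this page; it is not Open-Xchange code and does not reproduce the backend's implementation. Everything not taken from the page is an assumption: the cookie-hash derivation (OX derives it from the User-Agent and the client parameter, but the algorithm itself is not documented here, so a truncated SHA-256 stands in), the constructed user table, the `Browser` cookie store and the `com.example.plugin` client identifier used to show two clients sharing one cookie store.

```python
"""Toy model of the OX session lifecycle: login, use, store, autologin, logout.

Added example, not Open-Xchange code. ASSUMPTIONS: cookie_hash() is a stand-in
derivation, USERS is a constructed user table, Browser is a minimal cookie jar.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed user table (username@contextname -> password); not real data.
USERS = {"username@contextname": "somePassword"}


def cookie_hash(user_agent: str, client: str) -> str:
    """Cookie Hash stand-in built from the User-Agent and the client parameter.
    ASSUMPTION: OX's real derivation is not on the page; 20 hex chars used here."""
    return hashlib.sha256(f"{user_agent}\x00{client}".encode()).hexdigest()[:20]


@dataclass
class Session:
    session_id: str   # travels as the ?session= request parameter
    secret: str       # travels in the open-xchange-secret-<hash> cookie
    user: str


class SessionServer:
    """Holds live sessions and applies the checks described on the page."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, name, password, user_agent, client):
        """action=login -> (JSON body with the Session ID, cookies to set)."""
        if not hmac.compare_digest(USERS.get(name, "").encode(), password.encode()):
            raise PermissionError("authentication failed")
        sess = Session(secrets.token_hex(16), secrets.token_hex(16), name)
        self.sessions[sess.session_id] = sess
        h = cookie_hash(user_agent, client)
        body = {"session": sess.session_id, "random": secrets.token_hex(16)}
        return body, {f"open-xchange-secret-{h}": sess.secret}

    def validate(self, session_param, user_agent, client, cookies) -> Session:
        """Every request: Session ID (parameter) and Session Secret (cookie)
        are only accepted when they belong to the same session."""
        sess = self.sessions.get(session_param)
        secret = cookies.get(f"open-xchange-secret-{cookie_hash(user_agent, client)}")
        if sess is None or secret is None or not hmac.compare_digest(secret, sess.secret):
            raise PermissionError("session id and secret do not match")
        return sess

    def store(self, session_param, user_agent, client, cookies):
        """action=store: put the Session ID into the open-xchange-session cookie."""
        sess = self.validate(session_param, user_agent, client, cookies)
        h = cookie_hash(user_agent, client)
        return {"data": "1"}, {f"open-xchange-session-{h}": sess.session_id}

    def autologin(self, user_agent, client, cookies):
        """action=autologin: revive the session named by the stored cookie,
        still subject to the secret check."""
        sid = cookies.get(f"open-xchange-session-{cookie_hash(user_agent, client)}")
        if sid is None:
            raise PermissionError("no stored session cookie")
        sess = self.validate(sid, user_agent, client, cookies)
        return {"session": sess.session_id, "random": secrets.token_hex(16)}

    def logout(self, session_param, user_agent, client, cookies):
        """action=logout: drop the session and expire both cookies (None = expired)."""
        sess = self.validate(session_param, user_agent, client, cookies)
        del self.sessions[sess.session_id]
        h = cookie_hash(user_agent, client)
        return {f"open-xchange-secret-{h}": None, f"open-xchange-session-{h}": None}


class Browser:
    """Minimal cookie store shared by every client program on one machine."""

    def __init__(self) -> None:
        self.cookies: dict[str, str] = {}

    def apply(self, set_cookies: dict) -> None:
        for name, value in set_cookies.items():
            if value is None:
                self.cookies.pop(name, None)   # expired cookie is deleted
            else:
                self.cookies[name] = value


def run_lifecycle() -> dict:
    """Walk one session through every stage on the page; return the outcomes."""
    srv, browser, out = SessionServer(), Browser(), {}
    ua, client = "Mozilla/5.0 (constructed)", "com.openexchange.ox.gui.dhtml"

    body, cookies = srv.login("username@contextname", "somePassword", ua, client)
    browser.apply(cookies)
    sid = body["session"]
    # Using the session: ?session= parameter plus the secret cookie.
    out["config_ok"] = srv.validate(sid, ua, client, browser.cookies).user == "username@contextname"

    # A second client (constructed id) gets its own cookie names, so its secret
    # cannot be paired with the first client's Session ID.
    _, plugin_cookies = srv.login("username@contextname", "somePassword", ua, "com.example.plugin")
    browser.apply(plugin_cookies)
    try:
        srv.validate(sid, ua, "com.example.plugin", browser.cookies)
        out["cross_client_rejected"] = False
    except PermissionError:
        out["cross_client_rejected"] = True

    # Store, then a "reload": autologin finds the session via the stored cookie.
    _, store_cookies = srv.store(sid, ua, client, browser.cookies)
    browser.apply(store_cookies)
    out["autologin_restored"] = srv.autologin(ua, client, browser.cookies)["session"] == sid

    # Logout removes the session and both cookies; autologin must now fail.
    browser.apply(srv.logout(sid, ua, client, browser.cookies))
    try:
        srv.autologin(ua, client, browser.cookies)
        out["after_logout_rejected"] = False
    except PermissionError:
        out["after_logout_rejected"] = True
    return out


if __name__ == "__main__":
    print(run_lifecycle())
```

The point worth taking from the model is the pairing rule in `validate`: possession of a Session ID alone (it appears in URLs and therefore in proxy and access logs) is not enough, the request also has to carry the matching secret cookie, and that cookie is only sent by a client whose User-Agent and client identifier produce the same cookie name. The constant-time comparison and the deletion of both cookies on logout are the two details a reviewer of a real implementation would look for.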